Data breaches are problematic for companies in ways large and small, and yet consumers affected by these events have had difficulty establishing their claims in court. Historically, courts have dismissed data breach claims for lack of standing, the absence of a cognizable injury under state law, or the failure to satisfy the stringent requirements for class certification, among other reasons. Will this trend continue, or will the plaintiffs’ bar overcome these issues to field new and dangerous theories of liability against companies victimized by data breaches? How will the courts respond to new theories of liability, and how should companies prepare themselves for the next wave of consumer data breach litigation? In this series of three articles, we will examine these questions and offer insight about what may be just around the corner.
Plaintiffs alleging claims based on lost or stolen personal information face daunting hurdles in federal court. Perhaps most significant among these is the standing requirement of Article III of the Constitution, which requires an actual “case or controversy” between the parties. At first blush, a company’s large-scale loss of credit card information would seem to establish, at the very least, a “controversy” between the affected consumer and the custodian of that sensitive information. Yet, in practice, standing has not been so easily satisfied.
To show Article III standing, plaintiffs must demonstrate an “injury in fact” that is “actual” or “imminent.” This becomes problematic where personal information has been lost or compromised but not yet misused. In these situations, which are typical in most data breach cases, federal courts have considered the claims indefinite and speculative — at least until the stolen information causes actual harm to the consumer.
The Supreme Court’s recent decision in Clapper v. Amnesty International USA illustrates the predicament. Clapper rejected a challenge to the constitutionality of a federal electronic surveillance statute, holding that mere fear of government interception of electronic communications is too speculative to confer legal standing. Although plaintiffs directed their claim at the federal government rather than a company that lost confidential consumer information, the Court’s rationale applies equally to data breach claims. Clapper stressed that standing requires a “substantial risk” of actual harm — not simply a generalized fear of future consequences.
Relying on Clapper and other decisions, courts have found no standing even where data breach plaintiffs incurred costs to monitor credit in the event their personal information might be misused. Likewise, plaintiffs failed to show standing where “cookies” were used to track plaintiffs’ browsing habits, but no economic harm resulted from information obtained from the practice. In these cases, courts have held that the risk of future harm associated with stolen personal information is simply too speculative to confer Article III standing.
Standing is not the only hurdle facing data breach plaintiffs. A claim that satisfies the standing requirement may yet be dismissed if it fails to allege a “cognizable injury” under state law. In other words, the court may acknowledge that a plaintiff has standing but conclude that state law simply does not provide a remedy for the alleged injury. For example, in a much-publicized data breach case against Sony, the court partially dismissed plaintiffs’ amended complaint, holding that although plaintiffs had standing to assert claims for breach of contract, they had failed to state claims for negligence, negligent misrepresentation, and violations of state consumer protection acts.
In another highly publicized data breach case, Anderson v. Hannaford Bros. Co., the 1st Circuit Court of Appeals distinguished situations where a company inadvertently exposes consumer data but the information is not misused from those where sophisticated thieves deliberately steal data intending to use it for their financial advantage. In Hannaford, the court held that certain categories of costs incurred by the plaintiffs were “reasonably foreseeable mitigation costs” and constituted cognizable harm under Maine law. Importantly, the court decided Hannaford against the backdrop of reports of a sophisticated theft of thousands of credit card numbers, where fraudulent charges had already resulted from the same security breach. Ultimately, those urgent circumstances satisfied the court that plaintiffs’ costs in mitigating the harm were sufficiently justified to constitute a cognizable injury. Despite this ruling, many data breach cases falling short of these facts continue to struggle to demonstrate a “cognizable injury” under state law.
Class certification presents another formidable obstacle for data breach plaintiffs. To certify a class of data breach plaintiffs, Rule 23 of the Federal Rules of Civil Procedure requires, among other things, a showing that questions of law or fact common to class members predominate over questions affecting individual members. The Hannaford case discussed above illustrates the challenges of class certification for data breach claims. In that case, the trial court denied certification, holding that plaintiffs failed to provide expert testimony to support their theory of class-wide damages. As a result, common issues regarding class members would not predominate over individual issues with regard to damages.
The Hannaford decision was recently echoed in In re Google Inc. Gmail Litig., where the U.S. District Court for the Northern District of California denied class certification with prejudice, holding that “individual issues regarding consent [of Google’s privacy policies] are likely to overwhelmingly predominate over common issues.” In a related vein, the Supreme Court reinforced the difficulties of demonstrating commonality in the recent decision of Comcast Corp. v. Behrend, where the Court reminded lower courts to employ “a rigorous analysis” of the commonality requirements of a putative class, including that damages can be measured class-wide.
In the face of these challenges, plaintiffs have begun to refine their approach to overcome the hurdles of standing, cognizable injury, and class certification. Creative new theories of actual economic harm — for example, allegations that a company’s online tracking of personal information on mobile devices adversely affects battery life and performance — have met with mixed success. In the next two articles in this series, we will explore alternative theories of data breach liability that have begun to gain legal traction, and provide guidance on what steps companies can take to mitigate their exposure to these emerging trends.